Home > Uncategorized > Rescue data from disk in Ubuntu

Rescue data from disk in Ubuntu

I was asked to audit a disk in order to see any deleted file. For this task, I used Ubuntu Rescue Remix, an Ubuntu live CD customized with lots of applications for data recovery and forensics. Using a live CD for data rescuing is really useful, as you won’t be writing any data on the disk, and therefore you won’t overwrite anything you want to rescue. On the other hand, using a live CD you’ll be able to turn on the computer, even if the disk is physically damaged.

Once you’ve loaded the live CD, you’ll be ready to start typing Linux commands as usual. Yet, if you are not using an English keyboard, you’ll probably be interested in changing the keyboard layout. Just type loadkeys and your keyboard’s layout code. For example, if you have a Spanish keyboard execute:

loadkeys es

Remember that these commands must be run with root privileges, so type sudo before every command if the systems complains about permissions.

You may want to store the image in a remote server. Let’s use samba to mount a remote folder.

apt-get install smbfs
mkdir /mnt/recovery
smbmount //SERVERIP/recovery /mnt/recovery/ -o user=sambausername
cd /mnt/recovery

Finally, we create the image using ddrescue. Remember that you will need at least as much room as the capacity of the disk you want to rescue.

ddrescue --no-split /dev/sda image_file log_file

If the disk is damaged you might get better results running successive passes.

sudo ddrescue -r 3 -C /dev/sda image_file log_file

Once you have the image done, you can use Autopsy to recover any data from the disk.

Advertisements
Categories: Uncategorized Tags:
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: